CVE-2024-41340
Published: 27 February 2025
Description
An issue in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 allows attackers to upload crafted APP Enforcement modules, leading to arbitrary code execution.
Security Summary
CVE-2024-41340 is an unrestricted file upload vulnerability (CWE-434) affecting multiple Draytek Vigor router models, including Vigor 165/166 prior to v4.2.6, Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6. The flaw enables attackers to upload crafted APP Enforcement modules, resulting in arbitrary code execution on the device.
The vulnerability has a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited by local attackers with low complexity, no privileges, and no user interaction required. Successful exploitation grants high-impact arbitrary code execution, potentially allowing full compromise of the router's confidentiality, integrity, and availability.
Advisories from Draytek (http://draytek.com) and a Faraday Labs report (https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946) recommend updating to the specified patched firmware versions for each affected model to mitigate the issue.
Details
- CWE(s)